in many respects mirrors the initiatives taken by India in it’s document on framework of cyber security.

A document issued by security brass of the country, which was reviewed by ET, cites at least 12 instances where the US order mirrors India’s cyber security framework that was drafted in 2011. These include setting out a cyber security policy, defining critical infrastructure, information sharing between departments and protection of civil liberties.

Reading this, two things jump out – the insecurity that this claim projects and the fact that frameworks and plans like these are not even worth the cost of paper it is written on [1] if it is not put to practise. Given that the GoI’s National Cyber Security Policy (Draft PDF) wants the CERT-IN to

act as a nodal agency and co-ordinate all matters related to information security in the country

we shouldn’t expect getting out of this self-dug pit any time soon.

[1] Yup, I said “paper” because, you know what, a lot of GoI reports and documents are scans of printed documents!

The DoT has decided that it will be going ahead with a 100 per cent domestic sourcing and has released a list of certified GPON suppliers. (…) Local companies that made it to the certified list include Tejas Networks, Prithvi Infosystems, Center for Development of Telematics (C-DoT), VMC Systems, Sai Systems, United Telecoms, and SM Creative.

This follows the decision by US House Intelligence Committee which branded ZTE and Huawei as national threat:

The House Intelligence Committee said that after a yearlong investigation it had come to the conclusion that the Chinese businesses, Huawei Technologies and ZTE Inc., were a national security threat because of their attempts to extract sensitive information from American companies and their loyalties to the Chinese government.

While is is good that the GoI decided to look beyond the Chinese companies when considering possible threats, the question it raises is, isn’t it turtles all the way down? Is it certified that the local companies will use 100% indigenously developed components and if not, why is it better to prefer a “Assembled in India” sticker?

The FOFN project is a high investment and long term project that will power the infrastructure of Indian network for some time to come. So it is prudent for the GoI to tighten the security but it cannot be an isolated event. Nor is it viable to blanket-ban all foreign companies and technologies from such infrastructure and other sensitive projects. I hope someone higher up is thinking and acting seriously on an Information Assurance program within the scope of Critical Infrastructure Protection.

Another week and it seems it is time for another “cyber security policy” from a GoI body. This time it seems to be the National Security Council Secretariat (NCSC), which has reportedly

come up with a comprehensive cyber security policy for upgrading the security of systems and preventing them from being hacked, attacked with malware, or intruded upon by hostile entities.

Details are sketchy, which is not a surprise. Only Hindustan Times is reporting the story and what they say is

the plan has three components that demarcate task and authority. The existing Indian Computer Emergency Response Team (CERT-IN) will be tasked to handle the commercial aspects of cyber security, including 24×7 proactive responses to hackers, cyber-attacks, intrusions and restoration of affected systems.

The second aspect of the cyber plan is the creation of a technical-professional body that certifies the security of a network to ensure the overall health of government systems. While NSCS is advocating that initially the certification of networks could be done by private agencies, the long term plan is to create a technical body of professionals, all under 40, who will form the backbone of Indian cyber security.

The third aspect of the plan is cyber defence of critical infrastructure networks that are vulnerable to hostile foreign governments or proxy entities.

This seems eerily similar to the Ministry of Information’s “National Cyber Security Policy” Discussion Draft (pdf) that was issued around this time last year. We at Takshashila had responded (pdf) to that earlier invitation for comments and from the looks of it the issues raised then still plague this policy too.

(3) Orphan Policy. Cyber security cannot be considered in a silo. Cyber security – the business of safeguarding a country’s networking and technology infrastructure, and electronic information – is a subset of national security and a cyber security policy must be congruent to a national security policy. However, as India does not have a national security policy, the cyber security policy identiﬁed in the draft is effectively a “policy orphan.” As a result, signiﬁcant gaps could exist between this policy document and what different ministries, departments and agencies assume might be India’s national security goals and priorities. While we agree that this is not something that can be remedied at one go, the orphaned nature of the cyber security policy should be recognised and its implication studied and understood.

US Homeland Security Secretary Janet Napolitano’s recent comment that the administration has and will consider the participation of private companies in “proactive” cyber “counterattacks” has received its share of attention:

In discussing the private partnerships she is promoting to combat cyberattacks, Napolitano was asked if instead of just taking defensive measures, the government and companies should be launching proactive counterattacks against foreign-based culprits. “Should there be some aspect that is in a way proactive instead of reactive?” she responded, and then answered her own question with “yes.” She added, “it is not something that we haven’t been thinking about,” noting someone else had raised the subject with her earlier Monday.

Before analysing this development and the concept in general, it needs to be stated that there seems to be some ambiguity, at least in my mind, about the statement(s) by Napolitano. Napolitano’s use of “proactive” and “counterattack” together, as reported by San Jose Mercury News, seems confusing since “proactive” is a term that is used usually along with the concept of “defense.” In risk management lingo ‘proactive’ denotes the act of taking initiative by acting rather than reacting to threat events, while ‘reactive’ actions respond to past event(s) rather than predicting and acting before these perceived event. Thus “proactive” gels well together with “defense”, which in military literature refers to the art of preventing an attack, to mean the act of defending against an imminent attack by taking action before the act of attack has happened. This flies completely against the concept of counter-attack which is about, duh, countering an attack that has happened, something that automatically classifies the act as being reactive.

My guess is that Ms. Napolitano did mean counter-attack but by “proactive” she was trying to emphasis the fact that the reaction from the US will not be limited to acts of defense but will include counter offensive moves. Either way, I did end up smiling when I read the double negative that Ms. Napolitano used:

“Should there be some aspect that is in a way proactive instead of reactive?” she responded, and then answered her own question with “yes.” She added, “it is not something that we haven’t been thinking about,” (…)

Now that my confusion regarding the use of “proactive counterattack” is out in the open, let us get to the main point of discussion – use of private companies in proactive cyber attacks by nation states. In traditional military engagement, private military companies have long been used to supplement the operational capability of the nation state’s army. In recent years the role has increasingly moved from support of military personnels in areas like security of the military base, protecting the convoy etc., to a more traditional role played by active military personnels as part of an active war operation. The case of Academi (previously Blackwater) is a prime example of such private military companies.

The reasons have been numerous, the cost being the obvious but not the main one, which is to avoid scrutiny, including Congressional oversight in the US, that seems to be reseved for the military personnels of the nation-state. A similar reasoning can be used within the cyberspace as well. Private companies engaged in cyber operations, regardless of its nature (defensive, offensive, counter-attack, proactive), can be set up to evade deep scrutiny and congressional oversight. This gives them the flexibility to be a lot more liberal about the means and mechanisms used without having to worry about repercussions.

The practice also provides a good means to exploit the attribution problem, which has so far been an issue rather than a way out for the US (pdf). By engaging private civilian companies it becomes harder for the subject of the attacks to concretely state that they were indeed targeted by the US. Even if they did, the fact that the attacks cannot be tracked back to hav been originated from the networks of the US military complex gives the US enough excuses to assert that they were not aware of nor authorised such attacks. Such a setup has been used with good results by the Chinese and the Russians.

In the narrower context of counter-attacks, the domain of cyber differs from the rest of the domain of land, sea, air and space in a crucial way in that the conduits/medium that are used for the attacks, the networks consisting of the backbone of routers, cables and other physical and software based systems, are owned by private companies. The four traditional domains differ from cyber domain in that in each of the four cases, the conduit of attack (land, sea, air and space respectively) are usually owned, at least in the extended sense of the word, by the nation states that is attacking or being attacked. This makes it easier for constructing a case for involving private companies since after all they are direct front line causalities in the event of an attack.

Another reason is of course the simple practical fact that the talent pool of experts expands drastically if private companies are also considered as part of the “recruitment” space. Cyber is the only domain in the list of five where the private sector holds a big pie of capable, qualified individuals who can provide service in these operations. Public-private partnerships just makes sense.

The wholesale hiring of “ethical hackers” by NTRO, as reported by news outlets provides a seemingly similar setup in India with the crucial disadvantage that these “hired helps” are still directly associated with NTRO and hence NTRO can and will be held accountable for their actions, negating some of the crucial advantages of using private companies/individuals. What is needed is a deeper and longer term relationship between the government and private companies that makes defending the infrastructures that they both rely on as the central theme and working on means to do that, be it defensive postures or offensive gestures.

There are of course risks involved. Command structure gets blurred when the military structure merges with the private sector and without one, controlling these private parties becomes a risky process that cannot be taken for granted. This has been seen again and again in cases related to Blackwater. What if an unapproved action from the part of the private contractor is judged as an act of war by the other party and leads to a confrontational situation? A similar situation can arise when wrong magnitude of (counter)attack force is applied accidentally or otherwise by these third parties.

All these point to fact that use of private companies in cyber operations is tactically a good move and some would argue, a necessity. However it cannot be done at the drop of a hat since the “rules of engagement” is bound to be fickle in such symbiotic associations.

Imagine a makeshift stall peddling pirated CDs, DVDs and other mediums of music, movies and software. Now imagine a new law that tries to put the stall out of business by disrupting the transport service that takes people to the store, preventing the banks from processing the money that the stall owner tries to deposits and preventing the stall owner from using the stall for any other revenue generating work. Translate this into the online world and you get a rough idea of the scope of the “Stop Online Piracy Act” (SOPA) bill that was introduced in the US House of Representatives and the equivalent “PROTECT IP Act” (PIPA) bill that was introduced in the US Senate in late 2011.

(…)

Head over there and post your comments, or of course, put them down here too.

First it was the American and then the Israelis and then the joint US-Israel angle and now, we have the Russians as suspected makers of Stuxnet. Now, I ask you, why not the Indians? Don’t bother to answer, it was a rhetorical question – I know the odds against it!

On a more serious note, the article linking Russians to Stuxnet does everything except link them. It goes on to provide a good old Cold War story of why the Russians would want to sabotage the Iranian nuclear program

“their companies’ profit margins will benefit as long as the Iranians keep Russian scientists and engineers in country, who can oversee Iranian nuclear progress”

and why they would rather let the American and Israelis be given the credit

“its designers wouldn’t want it traced back to the Kremlin, and so it would have to appear as if it were a clandestine operation by an adversary that didn’t have access to the gateway entry points”

It even goes on to speculate on Russian expertise

“Russian scientists and engineers are familiar with the cascading centrifuges whose numbers and configuration – and Siemen’s SCADA PLC controller schematics – they have full access to by virtue of designing the plants.”

What is missing, of course, is the tiniest shred of evidence supporting this claim or even circumstantial evidence that Russian possesses enough cyber power to carry out such a well orchestrated cyber attack.

Rohan Joshi and your truly have a brief in August 2011 edition of Pragati covering the “weird” compromise of National Security Guards’ website and the downtime of National Investigation Agency’s website.

Defacement of websites is a routine occurrence and usually not a cause of major concern, apart from the embarrassment caused by the negative publicity. However, unauthorised access to the email system is a different matter altogether. Depending upon the practices being followed, this could either have leaked encrypted digital communication between various officials in NSG and beyond, which would be of no practical use to the attacker, or could have revealed unencrypted emails discussing sensitive topics. The details have been sketchy but at least one media report states that the computer system used by an arm major-general had been ‘hacked’ into, as it was discovered that a number of “letters” were sent on the behalf of the general officer.

After the brief was sent off to the editors, the Minister of State for Communications and Information Technology, Sachin Pilot, told the Lok Sabha via a written reply that a total of 117 Government websites were defaced during the period January – June, 2011. With regards to the situation of the NIA’s website the press release goes on to say:

The reply further stated that the information on the website of National Investigation Agency (NIA) is temporarily disabled. Since the website of National Investigation Agency was not hacked, no inquiry in this regard has been conducted.

It has been a month since the website was taken down and it still is in the state of “maintenance“, which begs the question – why just the NIA website? It sure does looks like the site was compromised in some form or the other. Will we ever know the truth about what was compromised? Unlikely!

The Department of Information Technology, Government of India issued a discussion draft on National Cyber Security Policy (pdf) on 26th March 2011 and invited comments on it. In our opinion this draft of the national policy is a considerable initial step and the government should be commended for being attuned to the threats and challenges facing the management of cyberspace and taking steps to address them. We feel that the document substantially addresses several areas and processes related to cyber security, particularly incident response, vulnerability management and infrastructure security.

However, we have identified some areas of improvement, including scope, ownership, resource allocation and management, technical and non-technical controls, which we present for the government’s consideration. This Takshashila policy advisory document (pdf) provides comments and feedback on the draft.

Feel free to provide your input on the original discussion draft or our response to it, in the comment section below.

The Internet Corporation for Assigned Names and Numbers (ICANN), the body responsible for the management of the top-level domain name space, recently approved the establishment of the top-level domain (TLD) “.xxx” as a sponsored TLD. The domain is currently intended as a (voluntary) option for pornographic sites. The Indian government, or at least one of its officials, promptly threatened to exercise its censorship scissors by declaring the intention to block access to .xxx domains:

“India along with many other countries from the Middle East and Indonesia opposed the grant of the domain in the first place, and we would proceed to block the whole domain, as it goes against the IT Act and Indian laws,” said a senior official at the ministry of IT. “Though some people have said that segregation is better, and some countries allow it. But for other nations transmission and direct distribution of such content goes against their moral and culture,” he added.

There seems to be nothing official about the statement, other than that it was uttered by “a senior official at the ministry of IT” but it wouldn’t be surprising that this is indeed the stand of the ministry on this matter, especially if precedence is considered.

The Information Technology (Amendment) Act, 2008 that the official mentions, defines the prohibition on “lascivious” and “sexually explicit” in Chapter Paragraphs 67 and 67 A as:

67. Whoever publishes or transmits or causes to be published or transmitted in the electronic form, any material which is lascivious or appeals to the prurient interest or if its effect is such as to tend to deprave and corrupt persons who are likely, having regard to all relevant circumstances, to read, see or hear the matter contained or embodied in it, shall be punished on first conviction with imprisonment of either description fora term which may extend to three years and with fine which may extend to five lakhrupees and in the event of second or subsequent conviction with imprisonment of either description for a term which may extend to five years and also with fine which may extend to ten lakh rupees.

67 A Whoever publishes or transmits or causes to be published or transmitted in the electronic form any material which contains sexually explicit act or conduct shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees andin the event of second or subsequent conviction with imprisonment of either description for a term which may extend to seven years and also with fine which may extend to ten lakh rupees.

Not surprisingly, the Act does not define or clarify as to what constitutes transmission and publishing but what is interesting is that paragraph 69 provides the intermediaries (like ISPs) protection from liability (up to an extent) of the content it is carrying. This means that as long as the .xxx domains are hosted outside India, by organisations without a presence in India, there doesn’t seem to be any automatic way for the block to be set in place unless the provisions in paragraph 69 A are exercised by the government:

69A. (1) Where the Central Government or any of its officer specially authorised by it in this behalf is satisfied that it is necessary or expedient so to do in the interest of sovereigntyand integrity of India, defence of India, security of the State, friendly relations with foreignStates or public order or for preventing incitement to the commission of any cognizableoffence relating to above, it may subject to the provisions of sub-section (2), for reasons tobe recorded in writing, by order, direct any agency of the Government or intermediary toblock for access by the public or cause to be blocked for access by the public any informationgenerated, transmitted, received, stored or hosted in any computer resource.

Given that the most likely interpretation of paragraph 67 does not make it a crime to view (not transmit or publish) pornography online, the stage is set for a good tussle between the government and those who object to the moral policing by the government. Also interesting is the attitude of the government to non-.xxx domains that host pornographic material. The use of .xxx domains is voluntary and it is unlikely that pornographic content will be confined to the sTLD. So far the government has not actively blocked every pornographic content online, so a question that someone wanting to question the .xxx block could ask, is why they are being singled out.

Those who have been following the saga of the .xxx TLD application within ICANN would remember the warning provided by the Governmental Advisory Committee (GAC) of ICANN when they stated in their San Francisco Communique (pdf):

the GAC would like to inform the ICANN Board that an introduction of a .xxx TLD into the root might lead to steps taken by some governments to prohibit access to this TLD. The GAC therefore calls the Board’s attention to concerns expressed by experts that such steps bear a potential risk/threat to the universal resolvability and stability of the DNS.

The GAC must be doing the “We told you so!” dance. Blocking/filtering exists at various scales and at various levels though most do not happen at the DNS level. Given that blocking of the .xxx domain will most likely involve a DNS level block and the history of incorrectly implementing blocks and filters by Indian ISPs, it is not far-fetched to be alarmed that the stability of the DNS is threatened, as pointed out by the GAC. What would of course follow is a cat and mouse game between technically savvy users would try and consider ways to circumvent the block (there are several ways based on how the blockis implemented) and the government/ISPs that tries to prevent “depravation and corruption”.

Minister of State for Communications & Information Technology has provided the official version of the impact of Stuxnet on critical infrastructures in India. In a reply to a written question in Rajya Sabha on 11th March, he provided the information that:

Some computer systems in India were also infected by the Stuxnet, but none of the infections have so far been reported in sensitive Industrial systems.

He then goes on to explain the steps being taken to tackle the problem of virus and protection of sensitive installations in the country, which includes the use of alerts and advisories being produced by CERT-In and workshops being conducted by it. With such a mandate one would assume CERT-In is on the top of things at least when it comes to issuing advisories. Not so! They issued the advisory on Stuxnet on July 23rd 2010, long after Virusblokada reported W32.Stuxnet (June 17), Microsoft issued the advisory 2286198 (July 16) and after Siemens report that it is investigating reports that the malware is infecting the SCADA systems (July 19). With such a lag in issuing the advisory, it would be hard to give CERT-In any credit for the reported absence of Stuxnet in “sensitive Industrial systems”.

As usual these official press releases opens up more questions. For one, where exactly were the computer systems that were infected by Stuxnet found? This is second to the more intriguing question – what is with the title of the press release – “Protection of Sensitive Installations from but ‘Free Virus’”?